ATTENTION: Remotely exploitable/low skill level to exploit.

Vulnerabilities: Improper Authentication, Password in Configuration File

AFFECTED PRODUCTS

Hikvision reports that the following cameras and versions are affected:

Successful exploitation of these vulnerabilities could lead to a malicious attacker escalating his or her privileges or assuming the identity of an authenticated user and obtaining sensitive data.

Hikvision has released updates to mitigate the improper authentication vulnerability in cameras sold through authorized distributors. Hikvision has not mitigated the password in configuration file vulnerability. However, Hikvision is aware of so-called “grey market” cameras which are sold via unauthorized channels. These cameras often use unauthorized firmware created by sources outside of Hikvision. In the case of these “grey market” devices, updating the firmware may result in converting the camera’s interface back to its original state. Users of “grey market” cameras who cannot update due to this unauthorized firmware will still be susceptible to these vulnerabilities.